Baseline Standards of Care

This document defines the baseline standards of care for Information Systems in use at Oregon State University. Baseline standards of care are system configuration and operational practices and procedures designed to protect the confidentiality, integrity, and availability of data housed on those systems.

These classifications are additive, meaning that a device needs to meet the standards of its classification level and those from any less restricted level also. Confidential information has the most restrictions, and unrestricted has the least. The classifications can be viewed here: http://is.oregonstate.edu/ois/data-classification-data-element

To make sure that your iPhone has the most current operating system, open the Settings app and choose General. Within that, select the Software Update menu. From Settings > General > Software Update you can see whether you have the current version or whether an update is available. If there is one, simply follow its instructions to download and install it, which may require you to restart your phone.

To make sure that your Android has the most current operating system, open the Settings app and choose About phone. Under that, select the Software Update menu. From within that menu you can see whether you have the current version or whether an update is available. If there is an update, simply follow its instructions to download and install it, which will restart your phone.

Updating

When a software update is available for you to download, Microsoft will notify you so you can download it directly to your phone over a Wi-Fi or cellular data connection. (Your phone will need 3G or greater to download updates over a cellular data connection.)

If you don't have enough storage space on your phone to get an update and you have an SD card inserted in your phone, we might be able to update your phone using the SD card. Support for using your SD card for updating your phone depends on your phone model and manufacturer.

How to check for updates manually

In the App list, tap Settings > Phone update.

Tap Check for updates.

Note:

Windows Phone will let you know when new updates are available. If you check manually for an expected update and your phone appears to be up to date, it may be that it isn't available yet for your specific phone, mobile operator, or market.

Recommended: Patched and officially supported version of the operating system, current antivirus client, and user name and password required for all accounts.

Updating the OS:

To ensure that your operating system is up to date, click on the Apple icon in the upper left corner of your screen and select “About This Mac”. A window will open, in which you then click on “Software Update…”.

This will then launch the App Store, where a software update will appear if there is one. Simply hit “Update” next to it to begin the update process. Be aware that this may require your computer to restart.

You can then check that it was successful by opening “About This Mac” again and seeing the new version listed.

Password protection:

To enable or update your password protection settings, click the Apple icon in the upper left corner of your screen and select “System Preferences…”. In the window that opens, click “Security & Privacy”.

Within that you want to click on the lock icon in the bottom left corner of the menu, which will prompt you to enter your password, and unlock all of the options.

Now you can change your password, change the time before it’s required, and disable automatic lock.

Antivirus:

If your computer is University owned it should already have System Center Endpoint Protection installed. You can manage the settings and preferences by clicking on the icon in the upper right corner of your screen.

If your computer is not university owned, purchase antivirus software of your choice and follow its instructions to get it set up.

Updating the System

There is one thing to understand about updating Linux: not every distribution handles this process in the same fashion. In fact, some distributions are distinctly different, down to the file types they use for package management.

Ubuntu and Debian use .deb

Fedora, SuSE, and Mandriva use .rpm

Slackware uses .tgz archives which contain pre-built binaries

And of course there is also installing from source or pre-compiled .bin or .package files.

We will cover the Ubuntu and Fedora systems using both the GUI as well as the command line tools for handling system updates.

Ubuntu Linux

Ubuntu uses two different tools for system update:

apt-get: Command line tool.

Update Manager: GUI tool.

Figure 1: Ubuntu Update Manager.

The Update Manager is a nearly 100% automatic tool. With this tool you will not have to routinely check to see if there are updates available. Instead you will know updates are available because the Update Manager will open on your desktop (see Figure 1) as soon as updates are available, on a schedule that depends on their type:

Security updates: Daily

Non-security updates: Weekly

If you want to manually check for updates, you can do this by clicking the Administration sub-menu of the System menu and then selecting the Update Manager entry. When the Update Manager opens click the Check button to see if there are updates available.

Figure 1 shows a listing of updates for an Ubuntu 9.10 installation. As you can see, there are both Important Security Updates as well as Recommended Updates. If you want information about a particular update, select it and then click on the Description of update dropdown.

In order to update the packages follow these steps:

Check the updates you want to install. By default all updates are selected.

Click the Install Updates button.

Enter your user (sudo) password.

Click OK.

The updates will proceed and you can continue on with your work. Some updates may require you either to log out of your desktop and log back in, or to reboot the machine.

Once all of the updates are complete the Update Manager main window will return reporting that Your system is up to date.

Figure 2: Updating via command line

Now let's take a look at the command line tools for updating your system. The Ubuntu package management system is called apt. Follow these steps to run it:

Open up a terminal window.

Issue the command sudo apt-get update.

Then the command sudo apt-get upgrade.

Enter your user's password.

Look over the list of available updates (see Figure 2) and decide if you want to go through with the entire upgrade.

To accept all updates press the 'y' key (no quotes) and hit Enter.

Watch as the update happens.

That's it. Your system is now up to date. Let's take a look at how the same process happens on Fedora (Fedora 12 to be exact).

Fedora Linux

Fedora is a direct descendant of Red Hat Linux, so it is the beneficiary of the Red Hat Package Management system (rpm). Like Ubuntu, Fedora can be upgraded by:

yum: Command line tool.

GNOME (or KDE) PackageKit: GUI tool.

Figure 3: GNOME PackageKit.

Depending upon your desktop, you will either use the GNOME or the KDE frontend for PackageKit. In order to open up this tool you simply go to the Administration sub-menu of the System menu and select the Software Update entry. When the tool opens (see Figure 3) you will see the list of updates. To get information about a particular update all you need to do is to select a specific package and the information will be displayed in the bottom pane.

To go ahead with the update click the Install Updates button. As the process happens a progress bar will indicate where GNOME (or KDE) PackageKit is in the steps. The steps are:

Resolving dependencies.

Downloading packages.

Testing changes.

Installing updates.

When the process is complete, GNOME (or KDE) PackageKit will report that your system is up to date. Click the OK button when prompted.

Now let's take a look at upgrading Fedora via the command line. As stated earlier, this is done with the help of the yum command. In order to take care of this, follow these steps:

Figure 4: Updating with the help of yum.

Open up a terminal window (Do this by going to the System Tools submenu of the Applications menu and select Terminal).

Enter the su command to change to the super user.

Type your superuser password and hit Enter.

Issue the command yum update and yum will check to see what packages are available for update.

Look through the listing of updates (see Figure 4).

If you want to go through with the update enter 'y' (no quotes) and hit Enter.

Sit back and watch the updates happen.

Exit out of the root user command prompt by typing "exit" (no quotes) and hitting Enter.
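The following script is an added example and is not part of the original guide or of apt or yum themselves. It reads the dry-run output of sudo apt-get -s upgrade, which lists the same packages shown in Figure 2 together with the pocket each new version comes from, and counts the ones that come from a -security pocket; for the Fedora steps it interprets the exit status that yum check-update returns (0 when nothing is pending, 100 when updates are pending, 1 on error). The apt output embedded below is constructed, not captured from a real host, and the function names are this example’s own.

```shell
#!/bin/sh
# Added example (not part of the original guide): flags pending security
# updates from "apt-get -s upgrade" output and classifies the exit status of
# "yum check-update", so the "look over the list" step has a quick answer.

# Count "Inst" lines whose origin field names a -security pocket.
# Input: apt-get -s upgrade output on stdin. Output: the count.
count_apt_security_updates() {
    # Inst lines look like:
    #   Inst openssl [1.1.1f-1ubuntu2.16] (1.1.1f-1ubuntu2.17 Ubuntu:20.04/focal-security [amd64])
    # "Conf" lines repeat the origin, so only the first field "Inst" is counted.
    awk '$1 == "Inst" && /-security/ { n++ } END { print n + 0 }'
}

# Print only the package names of pending security updates, one per line.
list_apt_security_updates() {
    awk '$1 == "Inst" && /-security/ { print $2 }'
}

# Translate the "yum check-update" exit status into a word.
yum_check_update_status() {
    case "$1" in
        0)   echo "up-to-date" ;;
        100) echo "updates-pending" ;;
        *)   echo "error" ;;
    esac
}

# Constructed sample of "sudo apt-get -s upgrade" output (not from a real host).
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages will be upgraded:
  libssl1.1 openssl vim-common
Inst libssl1.1 [1.1.1f-1ubuntu2.16] (1.1.1f-1ubuntu2.17 Ubuntu:20.04/focal-security [amd64])
Inst openssl [1.1.1f-1ubuntu2.16] (1.1.1f-1ubuntu2.17 Ubuntu:20.04/focal-security [amd64])
Inst vim-common [2:8.1.2269-1ubuntu5.7] (2:8.1.2269-1ubuntu5.9 Ubuntu:20.04/focal-updates [all])
Conf libssl1.1 (1.1.1f-1ubuntu2.17 Ubuntu:20.04/focal-security [amd64])
Conf openssl (1.1.1f-1ubuntu2.17 Ubuntu:20.04/focal-security [amd64])
Conf vim-common (2:8.1.2269-1ubuntu5.9 Ubuntu:20.04/focal-updates [all])'

# On a real Ubuntu host (refresh the package lists first):
#   sudo apt-get update && sudo apt-get -s upgrade | count_apt_security_updates
# On a real Fedora/Red Hat host:
#   yum check-update >/dev/null; yum_check_update_status $?
printf '%s\n' "$SAMPLE_APT_OUTPUT" | count_apt_security_updates
```

Run stand-alone, the script prints 2 for the constructed sample (libssl1.1 and openssl come from focal-security; vim-common does not). The dry run is the safe half of the procedure: it never installs anything, so it can be scheduled or run over SSH without the restart caveats of sudo apt-get upgrade itself.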

Recommended: Patched and supported version of the operating system, current antivirus client, username and password required for all accounts.

Patches: In order to make sure your Windows workstation is patched, open up the Start menu. In the search field type in “Windows Update” and click on the program.

Patching

In here you will either see that Windows is up to date or what updates are available to be installed.

Supported versions: As of this writing, anything above Windows XP is still supported by Microsoft. Windows Vista support will be dropped 4/11/2017.

Antivirus:

Windows 7: To find out if you have antivirus installed on Windows 7, click the Start button and enter the Control Panel. Then click System and Security. There will be an option to click “Review your computer’s status”; in there you will be able to see whether you have virus protection or not. NOTE: Some antivirus products don’t report themselves to Windows. If you believe that you have antivirus installed but it isn’t being reported to Windows, search for it on your computer and make sure that it runs.

Required: Patched and supported version of the operating system, username and complex password required for all accounts, all unused services disabled, system dedicated to server functions only (no web browsing, etc.)

Microsoft Windows:

Required: Patched and supported version of the operating system, current antivirus client, login required by GPO, use of service accounts only, complex passwords with minimum length, system dedicated to server functions only (no web browsing, etc.)

Required Standards of Care for Sensitive Information includes all recommended and required standards for Unrestricted Information plus:

Access to Sensitive Information: Viewing and modification restricted to authorized individuals with a business need to know. Copying or printing of Sensitive Information is limited to legitimate need, with copies limited to individuals with a business need to know.

Access to Sensitive Information is assigned by role pursuant to standards approved by the OSU Data Trustee.

Lock screen

To set a lock screen and passcode, perform the following steps. Open the Settings app and then enter the Security menu. In there select Screen lock. Choose anything other than “None” or “Swipe”; this will both enable the lock screen and provide a sufficient passcode.

Disable notifications on locked screen:

To disable notifications on the lock screen, enter the Settings app and then tap on Sound & notification. Scroll down until you find the Notification section. Tap on “When device is locked” and switch to “Don’t show notifications at all”.

Encrypting device

Note: This only applies to devices running Android 5.0 (Lollipop) and above. Some older devices also support encryption but it will be device specific.

To encrypt your device open the settings app and tap on security. There will be an “Encrypt phone” option. Tap on this and then read through the information. Tapping the encrypt phone button will begin the encryption process.

Encrypting SIM

To lock your SIM card with a PIN, enter the Settings app and then tap on Security. You will find a section called “SIM card lock”; tap this. In this menu tap Lock SIM card. You will then be able to change the PIN to one of your choosing.

iPhone:

Setting a lock screen and passcode:

To set or change your passcode, go into the Settings app and select “Touch ID & Passcode”. Within that, hit “Turn Passcode On” to create one. If you already have one you’ll be prompted to enter it first. When you choose to turn it on or change it you can choose which type of passcode you’d like: the simple 4-digit numeric code, or the more secure option of setting your own passcode of the length you choose. After setting your new passcode we recommend testing it a few times to make sure you remember it.

Notifications on Lock Screen disabled:

To disable notifications on the Lock Screen simply toggle the “Notifications View” switch to deactivate it and any others you’d like turned off.

Encrypting the SIM:

To set the SIM PIN, go into the Settings app, select Phone, and then SIM PIN. IMPORTANT: the PIN is provided by your network operator; do not activate the switch without already knowing the PIN!

Windows phone

Required: Passcode required,

Setting or changing a password

Windows Phone 8

From the home screen, tap Settings, and then select lock screen.

Scroll down to "Password". To set a password for the first time, slide the "Password" bar to On.

For all of the following you’ll want to click the apple icon in the upper left corner and select the “System Preferences…” menu.

Firewall:

To turn the firewall on, select “Security & Privacy” and click the Firewall tab. Then click the lock in the bottom corner and enter your password to allow changes. Once that’s done you can select “Turn On Firewall” and the icon should turn green, indicating it is now on.

Disabling Unused startup services:

To disable items you don’t need to launch upon startup, select the “Users & Groups” menu, open your account’s login items, and uncheck any you don’t want.

Disabling Printer and File Sharing:

To disable the sharing of devices and data, go to the “Sharing” menu and deselect any that may be turned on.

Auto-update:

To configure auto-updates choose the “App Store” menu and make sure that “Automatically check for updates” is checked.

Gatekeeper to allow App Store and Identified Developers only:

Under the “Security & Privacy” menu, in the “General” tab, make sure that the “Mac App Store and identified developers” radio button is selected.

Required:

Host-based firewall active,

About iptables

iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn’t find one, it resorts to the default action.

iptables almost always comes pre-installed on any Linux distribution. To update/install it, just retrieve the iptables package:

sudo apt-get install iptables

There are GUI front ends for iptables such as Firestarter, but iptables isn’t really that hard once you have a few commands down. You want to be extremely careful when configuring iptables rules, particularly if you’re SSH’d into a server, because one wrong command can permanently lock you out until it’s manually fixed at the physical machine.

Types of Chains

iptables uses three different chains: input, forward, and output.

Input – This chain is used to control the behavior for incoming connections. For example, if a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and port to a rule in the input chain.

Forward – This chain is used for incoming connections that aren’t actually being delivered locally. Think of a router: data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you’re doing some kind of routing, NATing, or something else on your system that requires forwarding, you won’t even use this chain.

There’s one sure-fire way to check whether or not your system uses/needs the forward chain.

iptables -L -v

The example output is from a server that’s been running for a few weeks and has no restrictions on incoming or outgoing connections. In it, the input chain has processed 11GB of packets and the output chain has processed 17GB. The forward chain, on the other hand, has not needed to process a single packet. This is because the server isn’t doing any kind of forwarding or being used as a pass-through device.

Output – This chain is used for outgoing connections. For example, if you try to ping howtogeek.com, iptables will check its output chain to see what the rules are regarding ping and howtogeek.com before making a decision to allow or deny the connection attempt.

The caveat

Even though pinging an external host seems like something that would only need to traverse the output chain, keep in mind that to return the data, the input chain will be used as well. When using iptables to lock down your system, remember that a lot of protocols will require two-way communication, so both the input and output chains will need to be configured properly. SSH is a common protocol that people forget to allow on both chains.

Policy Chain Default Behavior

Before going in and configuring specific rules, you’ll want to decide what you want the default behavior of the three chains to be. In other words, what do you want iptables to do if the connection doesn’t match any existing rules?

To see what your policy chains are currently configured to do with unmatched traffic, run the iptables -L command.

Piping the output through grep policy gives cleaner output. In the example output, the chains are currently configured to accept traffic.

To deny all input connections and manually specify which ones you want to allow to connect, change the default policy of your chains to drop. Doing this would probably only be useful for servers that contain sensitive information and only ever have the same IP addresses connect to them.

iptables --policy INPUT DROP

iptables --policy OUTPUT ACCEPT

iptables --policy FORWARD ACCEPT

Connection-specific Responses

With your default chain policies configured, you can start adding rules to iptables so it knows what to do when it encounters a connection from or to a particular IP address or port. In this guide, we’re going to go over the three most basic and commonly used “responses”.

Accept – Allow the connection.

Drop – Drop the connection, act like it never happened. This is best if you don’t want the source to realize your system exists.

Reject – Don’t allow the connection, but send back an error. This is best if you don’t want a particular source to connect to your system, but you want them to know that your firewall blocked them.

The best way to show the difference between these three rules is to show what it looks like when a PC tries to ping a Linux machine with iptables configured for each one of these settings.

Allowing the connection:

Dropping the connection:

Rejecting the connection:

Allowing or Blocking Specific Connections

With your policy chains configured, you can now configure iptables to allow or block specific addresses, address ranges, and ports. In these examples, we’ll set the connections to DROP, but you can switch them to ACCEPT or REJECT, depending on your needs and how you configured your policy chains.

Note: In these examples, we’re going to use iptables -A to append rules to the existing chain. iptables starts at the top of its list and goes through each rule until it finds one that it matches. If you need to insert a rule above another, you can use iptables -I [chain] [number] to specify the number it should be in the list.

Connections from a single IP address

This example shows how to block all connections from the IP address 10.10.10.10.

iptables -A INPUT -s 10.10.10.10 -j DROP

Connections from a range of IP addresses

This example shows how to block all of the IP addresses in the 10.10.10.0/24 network range. You can use a netmask or standard slash notation to specify the range of IP addresses.

iptables -A INPUT -s 10.10.10.0/24 -j DROP

or

iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP

Connections to a specific port

This example shows how to block SSH connections from 10.10.10.10.

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP

You can replace “ssh” with any protocol or port number. The -p tcp part of the code tells iptables what kind of connection the protocol uses. If you were blocking a protocol that uses UDP rather than TCP, then -p udp would be necessary instead.

This example shows how to block SSH connections from any IP address.

iptables -A INPUT -p tcp --dport ssh -j DROP

Connection States

As we mentioned earlier, a lot of protocols are going to require two-way communication. For example, if you want to allow SSH connections to your system, the input and output chains are going to need a rule added to them. But, what if you only want SSH coming into your system to be allowed? Won’t adding a rule to the output chain also allow outgoing SSH attempts?

That’s where connection states come in, which give you the capability you’d need to allow two way communication but only allow one way connections to be established. Take a look at this example, where SSH connections FROM 10.10.10.10 are permitted, but SSH connections TO 10.10.10.10 are not. However, the system is permitted to send back information over SSH as long as the session has already been established, which makes SSH communication possible between these two hosts.
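The rule set below is an added example, not from the original guide, that puts the default policies, the two-way-communication caveat and the connection-state SSH rules described above into one script. It uses the guide’s placeholder address 10.10.10.10 for the only host allowed to open SSH sessions; the ipt wrapper, the DRY_RUN variable and the APPLY variable are this example’s own conventions. With DRY_RUN set the commands are printed instead of executed, which is how to review the rules before applying them over an SSH session.

```shell
#!/bin/sh
# Added example, not from the original guide: default-deny INPUT policy plus
# the connection-state rules for SSH from a single management host.
# DRY_RUN=1 prints the iptables commands instead of executing them.

ALLOWED_SSH_SOURCE="${ALLOWED_SSH_SOURCE:-10.10.10.10}"   # guide's placeholder host
DRY_RUN="${DRY_RUN:-}"

# Run iptables, or print the command when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    # Open the policies before flushing so an SSH session used to run this
    # script is not cut off while the rules are being rebuilt.
    ipt --policy INPUT ACCEPT
    ipt --policy OUTPUT ACCEPT
    ipt --policy FORWARD ACCEPT
    ipt -F

    # Loopback traffic is needed by many local services.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # The caveat: replies to connections this host initiated must be let back in.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Connection states: NEW SSH sessions only from the allowed host; the
    # server may answer over an already ESTABLISHED session but not open one.
    ipt -A INPUT  -p tcp --dport 22 -s "$ALLOWED_SSH_SOURCE" -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -p tcp --sport 22 -d "$ALLOWED_SSH_SOURCE" -m state --state ESTABLISHED -j ACCEPT

    # Log (rate-limited) what the default policy is about to drop.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "

    # Default-deny inbound, allow outbound, no forwarding on a non-router.
    ipt --policy INPUT DROP
    ipt --policy OUTPUT ACCEPT
    ipt --policy FORWARD DROP
}

# Number of iptables invocations in the rule set; handy as a review checksum.
count_rules() {
    (DRY_RUN=1; apply_firewall) | wc -l | tr -d ' '
}

# Review:  sh firewall.sh          (prints the 13 commands)
# Apply:   APPLY=1 sh firewall.sh  (as root; afterwards persist with iptables-save)
if [ "${APPLY:-0}" = "1" ]; then
    apply_firewall
else
    (DRY_RUN=1; apply_firewall)
fi
```

Two choices differ from the bare --policy lines earlier. FORWARD ends on DROP rather than ACCEPT, because a host that is not a router never needs that chain (the iptables -L -v counters shown earlier are the way to confirm that). And a rate-limited LOG rule sits just before the default drop, so a mistaken rule shows up in syslog as “iptables-drop:” entries instead of as a silent timeout. The OUTPUT rule for established SSH is redundant while the OUTPUT policy is ACCEPT; it is kept so the set still works if that policy is later tightened to DROP.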

Saving Changes

The changes that you make to your iptables rules will be scrapped the next time that the iptables service gets restarted unless you execute a command to save the changes. This command can differ depending on your distribution:

Ubuntu:

sudo /sbin/iptables-save

Note that iptables-save only writes the current rule set to standard output; for the rules to survive a restart, redirect that output to the file your boot scripts restore (for example /etc/iptables/rules.v4 when the iptables-persistent package is installed).

Red Hat / CentOS:

/sbin/service iptables save

Or

/etc/init.d/iptables save

Other Commands

List the currently configured iptables rules:

iptables -L

Adding the -v option will give you packet and byte information, and adding -n will list everything numerically. In other words – hostnames, protocols, and networks are listed as numbers.

To clear all the currently configured rules, you can issue the flush command, iptables -F.

Firewall:

To check if your firewall is active in Windows, enter the Control Panel and type in “Windows Firewall”. Under the Control Panel section select Windows Firewall. You will then be presented with the present state of your Windows firewall. If you have a firewall provided by another antivirus product you will need to look up with that product how to check if your firewall is active.

Lock screen enabled:

To make sure the authentic Windows login screen appears, turn on requiring Ctrl+Alt+Delete to be pressed. To do this, bring up the Start menu and go into Control Panel. Then click on User Accounts, then again on User Accounts. As an admin you will then be presented with the option to manage user accounts; click on this. Under the Advanced tab you can then enable secure logon by clicking on the check box that says “Require users to press Ctrl+Alt+Delete”.

Auto Login:

To disable autologin on a Windows machine, first open the Start menu and then enter the Control Panel. In the Control Panel click on User Accounts. Again click on User Accounts and then Manage User Accounts. In this window, if autologin is available there will be a check box near the top of the screen with the text “Users must enter a username and password to use this computer”. Check this box to disable autologin. If this checkbox doesn’t exist, autologin is already permanently disabled.

File and Printer sharing:

To disable file and printer sharing Go to Start > Control Panel > Network and Internet > Network and Sharing Center and click the link for Advanced sharing settings. On this page make sure to Turn off file and printer sharing. Also make sure to turn off public folder sharing and network discovery.

Windows auto-update:

To enable Windows auto-updating: Start > Control Panel > Turn automatic updating on or off (under Windows Update). In here change the value to Install updates automatically.

Remote access:

In order to change settings related to remote access: Start > Control Panel > System and Security > System > Remote Settings. To disable Remote Assistance, uncheck the box at the top; then select “Don’t allow connections to this computer” to disable Remote Desktop. If remote access is a must, select “Allow connections only from computers running Remote Desktop with Network Level Authentication” and then select the users that can use remote access, limiting selections to only those that need it.

Standards of Care for Confidential Information includes all recommendations and requirements for Unrestricted Information and Sensitive Information plus:

Access to Confidential Information: Viewing and modification restricted to authorized individuals with a business need to know. Copying or printing of Confidential Information is limited to legitimate need, with copies limited to individuals with a business need to know, and must be labeled “Confidential.” A signed confidentiality agreement is required, both for accessing and viewing confidential information in any format.

Access to Confidential Information is assigned by role pursuant to standards approved by the OSU Data Trustee.

Storage of Confidential Information on paper or other physical media: Physical access to paper documents containing confidential information must be restricted to those who need the information to perform their responsibilities. Appropriate physical security, including door and cabinet locks, must be implemented.

Elevated (administrative) privileges shall be used only when needed to perform an administrative task. Daily tasks must be performed using a normal user account.

Network Security: Systems housing or regularly accessing Confidential Information must be in isolated network segments, protected with a physical firewall or equivalent using a “default deny” rule set; firewall rule sets, including changes, must be approved by the Office of Information Security. An Intrusion Detection System (IDS) hosted by the Office of Information Security must monitor this segment. Systems within these segments cannot be visible to the entire Internet, nor to unprotected subnets. An inventory of systems authorized to be on that subnet will be kept and the subnet regularly scanned/monitored for unauthorized systems. The Office of Information Security will perform authenticated vulnerability scans of these networks quarterly and will inform cognizant support teams of scan results requiring corrective action; vulnerabilities will be addressed during the next normal patching cycle unless other remediation is established or an exception granted.

Transmission of Confidential Information: Under no circumstances shall Confidential Information be transmitted across an unsecured network in clear text. In particular, it should be noted that email is not by default an encrypted means of transmission, and any email containing confidential information is subject to this restriction.

For the occasional transfer of data via email, file attachments should be encrypted using, at a minimum, a 128-bit symmetric-key algorithm, such as the Advanced Encryption Standard (AES). Microsoft Office encryption meets this standard. Key (password) sharing must be through a different mechanism than that used for transmission, such as a phone call.

For departments that have a business need to transfer confidential information on a regular basis via email, the use of a program that utilizes both symmetric and asymmetric key encryptions, such as PGP or equivalent, is strongly recommended.

Required: University-owned device, Locked screen after 5 minutes of inactivity, long passcode, 256-bit symmetric-key device encryption, device must wipe data after 10 failed attempts, the device should have a durable physical or electronic label (or appearing on the lock screen) with contact information sufficient to facilitate an expedient return in the event that a lost device is found, use of sandboxed OS/desktop or sandboxed app for accessing the data or other similar means where the data is never stored on the mobile device, SIM card lock/PIN, location services off, disable cloud synchronization for passwords and data, syncing and backup to university-owned machines only, remote wipe enabled, use of public wireless networks prohibited.

iPhone:

Wipe Data after 10 Attempts:

Simply toggle the “Erase Data” switch.

Location Services Off:

To turn off Location services select the “Privacy” menu in the Settings app. Then hit “Location Services” at the top of that menu. Then simply toggle the switch to turn off all location services.

Android:

Lock screen after 5 minutes of inactivity:

In order to set your lock screen timeout, launch the Settings app. Then tap Display. In Display you can set the Sleep setting. This must be set to 5 minutes or less.

Turn off location services:

To turn off location services enter the settings app and then Tap Location. You will be presented with a screen with a toggle on top. Toggle to off to disable location on the device.

Turn off cloud synchronization:

To turn off cloud synchronization on an Android device, open the Settings app and then tap on Backup & reset. In here you can tap on “Back up my data” and turn it off in order to disable the synchronization.

Locked screen after 5 minutes of inactivity:

the device should have a durable physical or electronic label (or appearing on the lock screen) with contact information sufficient to facilitate an expedient return in the event that a lost device is found,

use of sandboxed OS/desktop or sandboxed app for accessing the data or other similar means where the data is never stored on the mobile device,

SIM card lock/PIN

To turn on SIM security

Open the Call settings menu.

Turn on SIM security.

When prompted to Enter SIM PIN, enter the PIN for your SIM card by doing one of the following:

If this is the first time a PIN has been set for the SIM card in your phone, try typing 1234, and then tap Enter. 1234 is a common default PIN for some SIM cards. If that PIN doesn't work, contact your mobile operator for the correct default PIN.

If you previously set a PIN for the SIM card in your phone (even if the SIM card was in another phone when you did it), type your PIN, and then tap Enter. The message SIM PIN enabled displays briefly.

Full disk encryption:

Administrator password to access system preferences and install software AND logout after 15 minutes:

To require the admin password select the “Advanced…” button at the bottom of the “Security & Privacy” page and check the box for it. Do the same for the automatic logout, and be sure to set it to at most fifteen minutes.

infrared port disabled

Look for the line containing "IR Receiver"; in my case: /sys/bus/usb/devices/2-1.1/product IR Receiver. The string you need from this step is "2-1.1".

sudo emacs /etc/rc.local

Add this line right before "exit 0", replacing "2-1.1" with whatever you found in the previous step: echo "2-1.1" | tee /sys/bus/usb/drivers/usb/unbind

save and reboot
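As an added example (not part of the original steps or of any distribution’s tooling), the script below generalises the manual procedure: instead of noting the “2-1.1” device ID by hand, it searches every /sys/bus/usb/devices/*/product entry for a product string and unbinds each match from the usb driver. SYSFS_ROOT and the function names are this example’s own; the variable exists so the logic can be run against a constructed directory tree rather than the live sysfs.

```shell
#!/bin/sh
# Added example (not from the original guide): find USB devices by product
# string in sysfs and unbind them, generalising the hard-coded "2-1.1" step.
# SYSFS_ROOT defaults to the real sysfs; point it elsewhere for a dry run.

SYSFS_ROOT="${SYSFS_ROOT:-/sys/bus/usb}"

# Print the bus IDs (e.g. "2-1.1") of USB devices whose product string
# matches the case-insensitive pattern in $1.
find_usb_devices_by_product() {
    pattern="$1"
    for f in "$SYSFS_ROOT"/devices/*/product; do
        [ -r "$f" ] || continue           # also skips the unexpanded glob
        if grep -qi -- "$pattern" "$f"; then
            dev="${f%/product}"           # strip the trailing /product
            echo "${dev##*/}"             # keep only the last path component
        fi
    done
}

# Unbind one device from the generic usb driver. The device stays unbound
# until the next reboot (or until its ID is written to .../drivers/usb/bind).
unbind_usb_device() {
    printf '%s\n' "$1" > "$SYSFS_ROOT/drivers/usb/unbind"
}

# Unbind every device matching the pattern; prints one "unbound <id>" per device.
disable_usb_devices_by_product() {
    find_usb_devices_by_product "$1" | while IFS= read -r dev; do
        unbind_usb_device "$dev" && echo "unbound $dev"
    done
}

# For /etc/rc.local, call it with the product string as the argument, e.g.:
#   sh disable-usb.sh "IR Receiver"
# Nothing runs when no argument is given, so sourcing the file is harmless.
if [ -n "${1:-}" ]; then
    disable_usb_devices_by_product "$1"
fi
```

Matching on the product string rather than a fixed bus ID matters because the ID changes when the receiver is plugged into a different port or the bus is re-enumerated, which would otherwise leave the rc.local line silently unbinding nothing.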

remote management for authorized accounts (OSU IT) only

BIOS password

Power on the system. As soon as the first logo screen appears, immediately press the F2 key, or the DEL key if you have a desktop, to enter the BIOS.

Use the arrow keys to navigate to Security or BIOS Security Features.

Highlight Set Supervisor Password or Change Supervisor Password and press the ENTER key.

You will be prompted to enter a password, and a second time to verify it. To create the password, use only alphanumeric characters like A-Z, a-z, 0-9.

Press ENTER to confirm password creation.

A message will appear stating Changes have been saved. Press ENTER to continue.

Press the F10 key to save changes and restart the system.

Remote access restricted

Use public/private key pairs for authentication instead of passwords.

Generate a passphrase-protected SSH key for every computer that needs to access the server:

ssh-keygen

Permit public-key SSH access from the allowed computers:

Copy the contents of ~/.ssh/id_rsa.pub from each computer into individual lines of ~/.ssh/authorized_keys on the server, or run ssh-copy-id [server IP address] on every computer to which you are granting access (you'll have to enter the server password at the prompt).

Disable password SSH access:

Open /etc/ssh/sshd_config, find the line that says #PasswordAuthentication yes, and change it to PasswordAuthentication no. Restart the SSH server daemon to apply the change (sudo service ssh restart).

Now, the only possible way to SSH into the server is to use a key that matches a line in ~/.ssh/authorized_keys. Using this method, I don't care about brute force attacks because even if they guess my password, it will be rejected. Brute-forcing a public/private key pair is impossible with today's technology.
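Editing the commented "#PasswordAuthentication yes" line only works if nothing earlier in the configuration already sets the keyword: sshd uses the first uncommented occurrence it sees, expands Include files at the point where the Include appears, and treats everything below a Match line as conditional. The following is an added example, not part of the OSU standards page, that reports the value sshd will actually use for a directive under those rules. It assumes the whitespace-separated "Keyword value" form; the "Keyword=value" form and Include paths relative to /etc/ssh are not handled.

```shell
#!/bin/sh
# Added example, not from the OSU standards page: report the value sshd will
# actually use for a directive. sshd honours the FIRST uncommented occurrence of
# a keyword, expands Include files in place, and treats everything after a Match
# line as conditional, so editing "#PasswordAuthentication yes" is only
# effective if no earlier line (or included file) already sets the keyword.
# Assumed: whitespace-separated "Keyword value" lines; "Keyword=value" and
# Include paths relative to /etc/ssh are not handled.

# sshd_effective FILE KEYWORD: print the global value of KEYWORD and return 0,
# or return 1 if FILE sets no global value for it.
sshd_effective() {
    file="$1"
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        set -f                       # no glob expansion while splitting the line
        set -- $line                 # $1 = keyword, $2 = first value
        set +f
        [ $# -ge 1 ] || continue     # blank line
        k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case "$k" in
            '#'*)   continue ;;      # comment: sshd only treats '#' at line start as one
            match)  return 1 ;;      # Match block reached: anything below is conditional
            include)                 # included files are read here, before later lines
                shift
                for pat in "$@"; do
                    for inc in $pat; do            # unquoted so the glob expands
                        if v=$(sshd_effective "$inc" "$want"); then
                            echo "$v"; return 0
                        fi
                    done
                done ;;
            "$want") echo "$2"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# password_auth_disabled FILE: true only if the effective value is "no".
# sshd's built-in default is "yes", so an unset keyword counts as enabled.
password_auth_disabled() {
    v=$(sshd_effective "$1" PasswordAuthentication) || v=yes
    [ "$v" = "no" ]
}

# Usage on a server:
#   password_auth_disabled /etc/ssh/sshd_config && echo "password logins off"
```

On a live host, "sudo sshd -T | grep -i passwordauthentication" prints the configuration sshd itself computed, Include files and all, and is the authoritative check; the script is useful for auditing copies of the file off-box. Note also that with PAM in use, keyboard-interactive authentication (KbdInteractiveAuthentication, formerly ChallengeResponseAuthentication) can still accept a password even when PasswordAuthentication is "no", so both keywords need to be checked.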

use of administrator account for day-to-day access prohibited

Never log in as root; always use sudo for anything that requires administrative access.

require administrator password to access system preferences and install software

password complexity and length (min. of 14 characters)

To change your password in Linux execute the following command:

passwd

Password rotation

To require password changes every 180 days (6 months), you can run this command on any Linux machine:

sudo chage -M 180 [username]
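chage sets the limit for one account at a time; to verify that every account on a host is within the 180-day policy, read the maximum-age field of /etc/shadow (field 5, the value chage -M writes) for all accounts at once. The script below is an added example, not part of the OSU standards page; it takes the shadow file path as an argument so it can be run on a constructed copy, and is run as root against /etc/shadow on a live host.

```shell
#!/bin/sh
# Added example, not from the OSU standards page: list the accounts whose
# maximum password age exceeds a policy limit, reading the shadow file (field 5
# is the value "chage -M" sets). Takes the file path as an argument so it can be
# run against a constructed copy; on a live host, run it as root on /etc/shadow.

# shadow_aging_violations FILE MAXDAYS: print one user name per line for every
# account that has a real password hash and either no maximum age at all or one
# larger than MAXDAYS. Locked ("!"-prefixed), disabled ("*") and empty password
# fields are skipped: nobody can log in with them, so aging is irrelevant.
shadow_aging_violations() {
    awk -F: -v max="$2" '
        $2 == "" || $2 ~ /^[!*]/ { next }       # no usable password hash
        $5 == "" || $5 + 0 > max  { print $1 }  # never expires, or exceeds policy
    ' "$1"
}

# shadow_aging_ok FILE MAXDAYS: exit 0 when no account violates the policy,
# so it can gate a deployment or feed a monitoring check.
shadow_aging_ok() {
    [ -z "$(shadow_aging_violations "$1" "$2")" ]
}

# Usage on a server (the OSU limit is 180 days):
#   sudo sh -c '. ./aging.sh; shadow_aging_violations /etc/shadow 180'
```

An empty maximum-age field (what "chage -M -1" produces) and the distribution default of 99999 both mean the password never expires, and both are reported; accounts that are locked or have no hash are deliberately ignored so that system accounts do not drown out the real findings.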

Quarterly vulnerability scan and found vulnerabilities addressed:

Install Lynis and run a check on the system; address all warnings and errors, and adhere to the suggestions at the end of the report.

Encryption:

The recommended way to encrypt a Windows machine is with BitLocker. If you are using a Professional version of Windows, BitLocker is included in Windows.

To see if you already have BitLocker, search for "BitLocker" in the Start menu. If it is there, click on it. You will be brought to a page where you can turn on BitLocker for any particular drive.

Clicking Turn on BitLocker will begin the process of encrypting the drive.

Locked Screensaver:

To turn on a locked screensaver after 15 minutes perform the following steps.

Open the Start menu and go to the Control Panel. Go to Appearance and Personalization, then Personalization. Then click on Screen Saver in the bottom right.

After clicking there you will be presented with options. Make sure to set the time to 15 minutes and check the box that prompts for a login when resuming.

Sharing:

To disable all sharing on Windows follow the same steps as for disabling file and printer sharing on Windows, but also in the same window turn off public folder sharing and media streaming.

BIOS password:

Enabling a BIOS password on a machine is different for every BIOS. But in order to get to those settings you have to convince Windows to let you boot into the BIOS. To do this you typically need to be pressing F2 during boot, although the key could change based on the manufacturer.

Virtual Server Environments: All security controls apply both to the host and to the guest virtual machines in a virtual server environment. Guest servers of different security classifications cannot share the same virtual host environment.

Physical Security: Must be hosted in a secure Data Center with Physical Access monitored, logged and limited to authorized individuals 24x7.

Backup Media: All backup media must be encrypted. If stored off-site, a secure location is required.

Linux (or similar), OS X:

Required: field-level encryption for protected fields in databases; removable backup media encrypted using 256-bit symmetric-key encryption; monthly authenticated vulnerability scans performed by the Office of Information Security; authentication and security logs retained for six months and made available to the Office of Information Security; found vulnerabilities addressed within normal maintenance windows or sooner (based on criticality); annual security audit. Transmission of confidential information requires the use of TLS v1.2 and cannot use self-signed certificates.

Recommended: system administrators must possess enterprise-level certification, or an equivalent combination of training and experience, for the operating system version in use. Host-based software IDS/IPS.

Microsoft Windows:

Required: field-level encryption for protected fields in databases; removable backup media encrypted using 256-bit symmetric-key encryption; use of Best Practices Analyzer; security and system logs retained for six months and made available to the Office of Information Security; monthly authenticated vulnerability scans performed by the Office of Information Security; found vulnerabilities addressed within normal maintenance windows or sooner (based on criticality); annual security audit. Transmission of confidential information requires the use of TLS v1.1 and cannot use self-signed certificates.

Recommended: system administrators must possess enterprise-level certification, or an equivalent combination of training and experience, for the operating system version in use; host-based software IDS/IPS.